Use the defvs_ruleset paramater when mounting a jail's /dev,

instead of a mount.devfs.ruleset pseudo-parameter.

usr.sbin/jail/command.c

@@ -417,6 +417,7 @@ run_command(struct cfjail *j)
 		break;
 
 	case IP_MOUNT_DEVFS:
+		argv = alloca(7 * sizeof(char *));
 		path = string_param(j->intparams[KP_PATH]);
 		if (path == NULL) {
 			jail_warnx(j, "mount.devfs: no path");
@@ -428,22 +429,21 @@ run_command(struct cfjail *j)
 		    down ? "devfs" : NULL) < 0)
 			return -1;
 		if (down) {
-			argv = alloca(3 * sizeof(char *));
 			*(const char **)&argv[0] = "/sbin/umount";
 			argv[1] = devpath;
 			argv[2] = NULL;
 		} else {
-			argv = alloca(4 * sizeof(char *));
-			*(const char **)&argv[0] = _PATH_BSHELL;
-			*(const char **)&argv[1] = "-c";
-			ruleset = string_param(j->intparams
-			    [IP_MOUNT_DEVFS_RULESET]);
-			argv[2] = alloca(strlen(path) +
-			    (ruleset ? strlen(ruleset) + 1 : 0) + 56);
-			sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; "
-			    "devfs_mount_jail %s/dev%s%s", path,
-			    ruleset ? " " : "", ruleset ? ruleset : "");
-			argv[3] = NULL;
+			*(const char **)&argv[0] = _PATH_MOUNT;
+			*(const char **)&argv[1] = "-t";
+			*(const char **)&argv[2] = "devfs";
+			ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
+			if (!ruleset)
+			    ruleset = "4";	/* devfsrules_jail */
+			argv[3] = alloca(11 + strlen(ruleset));
+			sprintf(argv[3], "-oruleset=%s", ruleset);
+			*(const char **)&argv[4] = ".";
+			argv[5] = devpath;
+			argv[6] = NULL;
 		}
 		break;
 

usr.sbin/jail/config.c

@@ -81,7 +81,6 @@ static const struct ipspec intparams[] = {
 #endif
     [IP_MOUNT] =		{"mount",		PF_INTERNAL},
     [IP_MOUNT_DEVFS] =		{"mount.devfs",		PF_INTERNAL | PF_BOOL},
-    [IP_MOUNT_DEVFS_RULESET]=	{"mount.devfs.ruleset",	PF_INTERNAL},
     [IP_MOUNT_FSTAB] =		{"mount.fstab",		PF_INTERNAL},
     [IP_STOP_TIMEOUT] =		{"stop.timeout",	PF_INTERNAL | PF_INT},
     [IP_VNET_INTERFACE] =	{"vnet.interface",	PF_INTERNAL},
@@ -99,6 +98,7 @@ static const struct ipspec intparams[] = {
     [KP_ALLOW_SET_HOSTNAME]=	{"allow.set_hostname",	0},
     [KP_ALLOW_SOCKET_AF] =	{"allow.socket_af",	0},
     [KP_ALLOW_SYSVIPC] =	{"allow.sysvipc",	0},
+    [KP_DEVFS_RULESET] =	{"devfs_ruleset",	0},
     [KP_ENFORCE_STATFS] =	{"enforce_statfs",	0},
     [KP_HOST_HOSTNAME] =	{"host.hostname",	0},
 #ifdef INET

usr.sbin/jail/jail.8

@@ -693,15 +693,10 @@ format file containing filesystems to mount before creating a jail.
 .It Va mount.devfs
 Mount a
 .Xr devfs
- filesystem on the chrooted /dev directory, and run
-.Xr devfs 8
+filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Va devfs_ruleset
+parameter (or a default of ruleset 4: devfsrules_jail)
 to restrict the devices visible inside the prison.
-.It Va mount.devfs.ruleset
-The ruleset from
-.Xr devfs.rules 5
-to use when mounting a devfs filesystem.
-The default ruleset is
-.Dq devfsrules_jail .
 .It Va allow.dying
 Allow making changes to a
 .Va dying

usr.sbin/jail/jailp.h

@@ -93,7 +93,6 @@ enum intparam {
 #endif
 	IP_MOUNT,		/* Mount points in fstab(5) form */
 	IP_MOUNT_DEVFS,		/* Mount /dev under prison root */
-	IP_MOUNT_DEVFS_RULESET,	/* Ruleset for the devfs mount */
 	IP_MOUNT_FSTAB,		/* A standard fstab(5) file */
 	IP_STOP_TIMEOUT,	/* Time to wait after sending SIGTERM */
 	IP_VNET_INTERFACE,	/* Assign interface(s) to vnet jail */
@@ -111,6 +110,7 @@ enum intparam {
 	KP_ALLOW_SET_HOSTNAME,
 	KP_ALLOW_SOCKET_AF,
 	KP_ALLOW_SYSVIPC,
+	KP_DEVFS_RULESET,
 	KP_ENFORCE_STATFS,
 	KP_HOST_HOSTNAME,
 #ifdef INET